Enterprising Developments

Data Security is Most Vulnerable on the Inside

The greatest threat to company data isn't coming from those young hackers on the other side of the world; it's coming from your trusted administrator down the hall, or your trusted third-party service partner. They may not mean to cause problems, but if security policies are lax, they may inadvertently leave laptops full of personally identifiable information in coffee shops or in the backs of cars.

That's the gist of a survey I recently helped conduct among 350 IT executives, as part of my work with Unisphere Research. In this year's survey, human error has beaten out internal hackers or unauthorized users as the biggest security risk. More than three-fifths of respondents send actual copies of enterprise production data to other sites inside and outside the enterprise, and have multiple copies of data moving between departments.

In addition, while audits are often cited as a security process employed, these audits are likely only to occur once every few months—leaving plenty of time for internal hackers or mistakes to go unnoticed.

The solution is encryption or data masking to render the data useless to unauthorized parties. However, the survey finds fewer than a third of respondents encrypt all sensitive data on disk or in motion.
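To make the masking point concrete, here is an added example (not from the column or from Unisphere Research) of what a production copy might look like after masking, before it is sent to another department or a partner. The record, the field names and the masking key are all constructed for the example; in practice the key would come from a secret store, and the list of identifier fields would be maintained alongside the schema. Direct identifiers are either truncated to their last four digits (format-preserving) or replaced with keyed HMAC tokens, which stay consistent across tables so records can still be joined, but cannot be reversed without the key; the date of birth is generalized to a year, and a final check confirms that no original identifier survives in the masked copy.

```python
import hashlib
import hmac
import re

# Constructed sample record, as it might appear in a copy of production data
# (all values are invented for this example).
SAMPLE_RECORD = {
    "name": "Jane Example",
    "ssn": "123-45-6789",
    "drivers_license": "D1234567",
    "dob": "1980-02-14",
    "account_number": "9876543210",
    "policy_type": "auto",
    "state": "OH",
}

# Assumption: in a real deployment this key is fetched from a key store,
# never hard-coded. It is fixed here only so the example runs offline.
MASKING_KEY = b"example-only-key-replace-with-secret-from-key-store"

# Fields that identify a person directly and must never leave the
# production boundary in the clear (hypothetical field names).
DIRECT_IDENTIFIERS = ("ssn", "drivers_license", "account_number", "name")
# Fields that are safe to keep as-is for testing and analytics.
PASSTHROUGH_FIELDS = ("policy_type", "state")


def pseudonymize(value: str, key: bytes) -> str:
    """Replace a value with a keyed, consistent token (HMAC-SHA256).

    The same input always maps to the same token, so joins between
    tables still work; without the key the token cannot be reversed.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def mask_ssn(ssn: str) -> str:
    """Keep only the last four digits while preserving the field format."""
    digits = re.sub(r"\D", "", ssn)
    return "***-**-" + digits[-4:]


def generalize_dob(dob: str) -> str:
    """Reduce an ISO date (YYYY-MM-DD) to the birth year only."""
    return dob[:4]


def mask_record(record: dict, key: bytes = MASKING_KEY) -> dict:
    """Return a masked copy of a record; the original is left untouched."""
    masked = {field: record[field] for field in PASSTHROUGH_FIELDS}
    masked["ssn"] = mask_ssn(record["ssn"])
    masked["dob"] = generalize_dob(record["dob"])
    for field in ("name", "drivers_license", "account_number"):
        masked[field] = pseudonymize(record[field], key)
    return masked


def leaked_identifiers(original: dict, masked: dict) -> list:
    """List any direct identifier that still appears verbatim in the masked copy."""
    haystack = " ".join(str(v) for v in masked.values())
    return [f for f in DIRECT_IDENTIFIERS if original[f] in haystack]


if __name__ == "__main__":
    masked = mask_record(SAMPLE_RECORD)
    for field, value in masked.items():
        print(f"{field:16} {value}")
    print("leaked identifiers:", leaked_identifiers(SAMPLE_RECORD, masked))
```

The check in `leaked_identifiers` is the part worth keeping in a real pipeline: run it over every masked extract before it is shipped, so a field added to the schema after the masking rules were written cannot silently carry a Social Security number out the door.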

For a wake-up call of how frequently and easily internal breaches happen, check out the latest updates on the PrivacyRights.org timeline. Mind you, these are the publicly reported incidents. The following summary of insurance sector reports occurred just within the last three months—I published an earlier update in September. Note that while one incident involved outside hackers, the remainder involved employees, administrators, and partners who got a hold of the data.

Midwest insurance company: “A portion of the computer network used by [employees] and agents was breached by cyber criminals on October 3. The attack was discovered on the same day and contained. On October 16, it was determined that names, Social Security numbers, driver's license numbers, dates of birth, marital status, gender, occupation and employer information had been stolen.”

Eastern insurance agency: “An employee may have performed unauthorized searches on clients. The employee is no longer with the company. Names, Social Security numbers, addresses, dates of birth, and driver's license numbers may have been exposed. The potential breach was discovered in July and clients were notified in October after their contact information was confirmed.”

Western health insurer: “Recruitment employee mistakenly sent an email to unauthorized party on August 24. Former employees who left between 1990 and 2006 may have had their names and Social Security numbers exposed. The analysis also revealed that the email had been deleted and could no longer be accessed.”

Southeastern health insurer: “A claims specialist stole the personal information of at least 32 clients. The documents' information was later found on a man who was arrested after a traffic stop in 2011. The man who was arrested never worked for [the insurer] and the dishonest employee who stole the documents is believed to have separated from [the insurer].”

Northeastern credit union: “Two unencrypted backup tapes were discovered missing on September 10. They were lost sometime between August 27, and September 10. Names, Social Security numbers, financial account information, driver's license numbers, and transaction records were exposed.”

Eastern services company: “The theft of a laptop resulted in the exposure of sensitive information. The laptop contained names, Medicaid numbers, and short summary information used for administrative purposes.”

Northeastern health insurer: “A vendor misused employee information. The misuse appears to have been limited to one instance. Names, Social Security numbers, dates of birth, compensation information, and bank account information may have been exposed.”

Northeastern financial services company: “A server that held TIFF images of customer financial applications was accessed by an unauthorized party. Customers who applied for brokerage accounts, life insurance and annuities, and provided other financial applications may have had their names, Social Security numbers, addresses, email addresses, government issued identification numbers, and financial account information exposed. Named beneficiaries and other family members may have also had their information exposed.”

Midwest life insurance company: “A former financial planner stole sensitive information from approximately 3,000 clients and used it to open new accounts, make purchases, receive cash advances, and reroute client mail until his arrest in August of 2011. Client names, Social Security numbers, contact information, and financial account information were exposed. He was sentenced to two years in prison and three years of probation. He will also have to pay $48,488.66 in restitution.”

Midwest P&C insurance company: “An employee was caught misusing customer information on July 28. The dishonest employee had been improperly using customer names, Social Security numbers, addresses, dates of birth, and credit card numbers for at least two months. An unspecified number of customers had fraudulent online purchases made in their names.”